Production Checklist

Follow best practices when using Engine in a production environment.

Security

  • The Engine API is intended to be called from your backend only. Ensure your access tokens are not accessible from your frontend.
  • Securely store access tokens and the thirdweb secret key. Rotate these credentials if they are compromised.
  • Use labels to keep track of your wallets, admins, and access tokens.
  • Use access token with expirations to grant time-bound access.
  • Regularly review the admins list to remove inactive and former team members.

Backend wallets

  • Recommended: Use a wallet backed by AWS KMS or Google KMS. Wallet access is always recoverable and private keys are never exposed.
  • If using a local wallet: back up the private key. Engine cannot recover private keys if the encrypted stored data is lost or corrupted.
  • Ensure your backend wallets have sufficient funds. Use wallet webhooks to alert when your gas balance is low.